Citrix ADC | OCSP not working for Device Cert EPA Check with Nfactor


Article ID: CTX268939


Description

An AAA virtual server is configured with an nFactor EPA device certificate check, and OCSP is enabled on the CA certificate used to validate the device certificate. With this combination, the EPA check fails.

If the OCSP responder binding is removed from the CA certificate and the rest of the configuration is left unchanged, the EPA check passes.

OCSP connectivity itself is not the problem. An nstrace taken in a lab shows the client sending the /epas request, which triggers multiple OCSP requests even though the ADC receives a valid OCSP response to each one. The client eventually times out and reports an EPA error. (Note: validating a single client device certificate should produce only one OCSP request, regardless of whether the response is success (certificate status Good) or failure (Revoked); repeated OCSP requests for the same device certificate are not expected.)

Resolution

Fix in:
13.0.47.x – Released
12.1.56.x – Release planned for Q1 2020

Problem Cause

Known Issue:
NSHELP-20855: nFactor authentication fails if Online Certificate Status Protocol (OCSP) is enabled for the device certificate check.

Note:
If you see only one OCSP request and response per EPA check, you are not hitting this issue.
This issue does not occur when the EPA check is done with classic authentication, i.e. on the Gateway virtual server.
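To tell from a trace whether you are seeing the repeated-OCSP pattern described above rather than a single request/response or a plain connectivity failure, here is an added example (not code from this article or from Citrix) that counts OCSP requests and responses per /epas request in a text export of the capture. The "time,src,dst,proto,info" CSV field order, the addresses, the info strings and the sample lines are all constructed assumptions; export your own nstrace with a tool such as tshark into that shape before running it.

```python
"""Count OCSP requests per EPA device-certificate check in a capture export.

Added example, not code from the Citrix article. It assumes the nstrace
capture has been exported to one packet per line in a constructed
"time,src,dst,proto,info" CSV form (for instance with tshark -T fields);
the field order, the addresses and the info strings below are assumptions.
"""
import csv
from io import StringIO

# Constructed capture summary. 10.0.0.1 stands in for the ADC (VIP and SNIP),
# 10.0.0.9 for the OCSP responder. Client 10.0.0.5 triggers four OCSP
# requests for one /epas call although every response is "good"; client
# 10.0.0.6 gets the expected single exchange.
SAMPLE_EXPORT = """\
0.000,10.0.0.5,10.0.0.1,HTTP,GET /epas HTTP/1.1
0.010,10.0.0.1,10.0.0.9,OCSP,Request
0.025,10.0.0.9,10.0.0.1,OCSP,Response (good)
0.110,10.0.0.1,10.0.0.9,OCSP,Request
0.125,10.0.0.9,10.0.0.1,OCSP,Response (good)
0.210,10.0.0.1,10.0.0.9,OCSP,Request
0.225,10.0.0.9,10.0.0.1,OCSP,Response (good)
0.310,10.0.0.1,10.0.0.9,OCSP,Request
0.325,10.0.0.9,10.0.0.1,OCSP,Response (good)
5.000,10.0.0.6,10.0.0.1,HTTP,GET /epas HTTP/1.1
5.010,10.0.0.1,10.0.0.9,OCSP,Request
5.030,10.0.0.9,10.0.0.1,OCSP,Response (good)
"""

FIELDS = ("time", "src", "dst", "proto", "info")


def parse_export(text):
    """Turn the CSV export into a list of packet dicts, in capture order."""
    packets = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # skip blank or malformed lines
        pkt = dict(zip(FIELDS, row))
        pkt["time"] = float(pkt["time"])
        packets.append(pkt)
    return packets


def classify(attempt):
    """Map the counts to the diagnostic the article's note describes."""
    req, resp = attempt["ocsp_requests"], attempt["ocsp_responses"]
    if req == 0:
        return "no OCSP traffic: OCSP responder not bound or not consulted"
    if resp == 0:
        return "no OCSP responses: connectivity problem, not this issue"
    if req == 1:
        return "single OCSP request/response: not NSHELP-20855"
    return ("repeated OCSP requests (%d) despite %d responses for one device "
            "certificate: matches NSHELP-20855" % (req, resp))


def analyze_epa_attempts(packets, adc_ip):
    """Group OCSP traffic by the preceding /epas request.

    OCSP requests leave the ADC from its own address, so they carry no client
    identity; each OCSP packet is attributed to the most recent /epas request
    seen on the ADC. That is an assumption of this example and holds only when
    EPA attempts do not overlap in the capture.
    """
    attempts = []
    current = None
    for pkt in packets:
        is_epas = (pkt["proto"] == "HTTP" and pkt["dst"] == adc_ip
                   and pkt["info"].startswith("GET /epas"))
        if is_epas:
            current = {"client": pkt["src"], "start": pkt["time"],
                       "ocsp_requests": 0, "ocsp_responses": 0}
            attempts.append(current)
        elif current is not None and pkt["proto"] == "OCSP":
            if pkt["src"] == adc_ip and pkt["info"].startswith("Request"):
                current["ocsp_requests"] += 1
            elif pkt["dst"] == adc_ip and pkt["info"].startswith("Response"):
                current["ocsp_responses"] += 1
    for a in attempts:
        a["verdict"] = classify(a)
        a["matches_known_issue"] = a["verdict"].startswith("repeated")
    return attempts


def analyze_export(text, adc_ip):
    """Convenience wrapper: parse the export and classify every EPA attempt."""
    return analyze_epa_attempts(parse_export(text), adc_ip)


if __name__ == "__main__":
    for a in analyze_export(SAMPLE_EXPORT, "10.0.0.1"):
        print("%s at t=%.3f: %s" % (a["client"], a["start"], a["verdict"]))
```

The attribution of OCSP packets to the last /epas request is deliberately simple; on a busy gateway, filter the capture to one test client (or take the trace while a single client performs the EPA check) so that attempts do not interleave. A verdict of "no OCSP responses" points at responder reachability or the OCSP responder configuration rather than at NSHELP-20855.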